9086 Győr - Reservoir, Outdoor area 078/29

GDPR

1. Purpose of the Regulations

This Data Management and Data Protection Policy (hereinafter referred to as the Policy) regulates the processing of personal data of natural persons by the Data Controller and ensures the rights of Data Subjects. The purpose of the Policy is to determine the technical and organizational measures related to the processing and protection of personal data. The Policy is an internal document of the Data Controller; the public-facing information on data processing and data protection required by data protection legislation is contained in the separate Data Protection and Data Processing Notice.

1.1. Data of the Data Controller

The current data of the Data Controller are as follows:
  • Name: Land Plan Ltd.
  • Registered office: 9012 Győr, Ménfői u. 64.
  • Company registration number: 08-09-028190
  • Tax number: 25586505-2-08
  • Court of registration: Győr Commercial Court
  • Phone number: +3696 900 490
  • Email address: hotel@landplanhotel.hu

2. Scope of the Regulations

2.1. Temporal scope

The Policy enters into force on 25 May 2018. The Policy remains in force until the Data Controller ceases to exist or until a new Policy is adopted that simultaneously repeals this one.

2.2. Personal scope

The scope of the Regulations covers:

  • natural persons in relation to whom the Data Controller processes personal data (Data Subjects),
  • persons performing data processing activities on behalf of the Data Controller (employees or persons in another legal relationship for work),
  • persons performing data processing activities on behalf of a data processor (employees or persons in another legal relationship for work).

All employees of the Data Controller and other collaborators in a legal relationship for work are obliged, within their own scope of work or duties, to do everything necessary to facilitate and implement the provisions of this Policy.

2.3. Subject matter scope

The material scope of the Policy covers personal data managed or processed by the Data Controller in the course of data management activities falling within the personal scope of this Policy.

3. Data protection and data security legislation

The laws with data protection and data security content for the purposes of this Policy are in particular the following:

  1. REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR),
  2. Act CXII of 2011 on the Right to Informational Self-Determination and Freedom of Information (hereinafter referred to as the Information Act),
  3. Act V of 2013 on the Civil Code (hereinafter referred to as the Civil Code),
  4. Act CXIX of 2011 on the processing of name and address data for the purpose of research and direct marketing
  5. Act XLVIII of 2008 on the basic conditions and certain limitations of economic advertising activity (Grt.)
  6. Act CVIII of 2001 on certain issues of electronic commerce services and services related to the information society (Ekertv.)
  7. Act C of 2000 on Accounting (Accounting Act),
  8. Act CLV of 1997 on Consumer Protection (Fgytv.).
  9. Act CXXXIII of 2005 on the rules of personal and property protection and private detective activities
  10. Act I of 2012 on the Labor Code (Mt.)

4. Concept definitions

Personal data: any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, a number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR Article 4(1)).

  • Data subject: an identified or identifiable natural person (GDPR Article 4(1))
  • Data processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (GDPR Article 4(2))
  • Restriction of processing: the marking of stored personal data with the aim of limiting their processing in the future (GDPR Article 4(3))
  • Data controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (GDPR Article 4(7))
  • Data processor: the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (GDPR Article 4(8))
  • Recipient: the natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. Public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing (GDPR Article 4(9))
  • Consent of the Data Subject: any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her (GDPR Article 4(11))
  • Personal data breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (GDPR Article 4(12))
  • Supervisory authority: an independent public authority which is established by a Member State pursuant to Article 51 (GDPR Article 4(21))

5. Data protection and data security rules

5.1. Basic principles

The Data Controller respects the principles regarding the processing of personal data set out in Article 5 of the GDPR, according to which:

"(1) Personal data shall be:

  1. (a) processed lawfully, fairly and in a transparent manner in relation to the data subject ("lawfulness, fairness and transparency");
  2. (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ("purpose limitation");
  3. (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimisation");
  4. (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ("accuracy");
  5. (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ("storage limitation");
  6. (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ("integrity and confidentiality").

(2) The controller shall be responsible for, and be able to demonstrate compliance with, paragraph (1) ("accountability")."

The Data Controller ensures compliance with the above principles in particular as follows:

  • the legal bases under point (a) are recorded in the register of data processing activities (AKNy),
  • the purpose of each data processing activity under point (b) is recorded using the Data Controller's purpose-definition template in Annex 1; the template of the data processing register is contained in Annex 2,
  • the scope of personal data processed under point (c) is recorded in the AKNy,
  • the duration of data processing under point (d) is recorded in the AKNy,
  • the organizational and technical measures related to data storage and data deletion under point (e) (or a reference to them) are contained in this Policy,
  • the organizational and technical measures under point (f) (or a reference to them) are contained in this Policy,
  • in order to comply with the principle of accountability, the documentation obligations are contained in this Policy.

5.2. Lawfulness of data processing

5.2.1. Legal basis for processing personal data

The Data Controller processes personal data only in the following cases and on the following legal grounds:

  1. the Data Subject has given consent to the processing of his/her personal data for one or more specific purposes /GDPR Article 6(1)(a)/,
  2. the processing is necessary for the performance of a contract to which the Data Subject is a party, or in order to take steps at the request of the Data Subject prior to entering into a contract /GDPR Article 6(1)(b)/,
  3. the processing is necessary for compliance with a legal obligation to which the Data Controller is subject /GDPR Article 6(1)(c)/,
  4. the processing is necessary in order to protect the vital interests of the Data Subject or of another natural person /GDPR Article 6(1)(d)/,
  5. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller /GDPR Article 6(1)(e)/,
  6. the processing is necessary for the purposes of the legitimate interests pursued by the Data Controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of personal data, in particular where the Data Subject is a child /GDPR Article 6(1)(f)/.

The Data Controller carries out data processing predominantly on the legal bases set out in points b), c) and f), and to a lesser extent on the legal basis set out in point a). Processing on the legal bases set out in points d) and e) is not typical for the Data Controller. The precise legal basis for each individual data processing activity is recorded in the AKNy.

5.2.2. Documentation obligation related to the legal bases for data processing

5.2.2.1. Consent

If the Data Controller relies on consent as the legal basis for data processing, the Data Controller must be able to demonstrate that the Data Subject has consented to the processing of his or her personal data by a freely given, specific and unambiguous statement made on the basis of adequate information. Consent is a statement or a clear affirmative action that unambiguously signifies agreement to the processing of personal data relating to the Data Subject.

The Data Controller processes data belonging to special categories of personal data only in the following cases:

– based on the express consent of the Data Subject,

– in the case of an employee, where processing is necessary for the Data Controller to carry out its obligations under employment, social security and social protection law.

The Data Controller shall return the document containing sensitive data sent by the Data Subject to the Data Controller without making a copy and without processing the data contained therein, with the exception of documents or data subject to data processing due to the fulfillment of a legal obligation.

The Data Subject's personal data may only be processed on the basis of consent after the Data Subject's documented consent statement is available on paper or electronically. The Data Controller shall establish a document template for the Data Subject's consent.

5.2.2.2. Balancing of interests test

If the Data Controller relies on legitimate interest as the legal basis for data processing, a balancing test must be conducted and documented. The balancing test identifies the legitimate interest of the Data Controller (or a third party) on the one hand and the interests, fundamental rights and freedoms of the Data Subject on the other, and weighs them against each other. If the outcome of the weighing is not clearly in favour of the Data Controller, additional safeguards must be applied to protect the rights of the Data Subject.

In the case of legitimate interest, personal data may only be processed – taking into account the principle of accountability – after carrying out a balancing test and documenting it in writing.

The balancing test must be prepared with the involvement of the Data Protection Officer and the legal representative before data processing begins.

The written documentation of the balancing tests is kept by the Data Protection Officer.

5.3. Regulations on the protection of the rights of Data Subjects

5.3.1. Right to transparent information and communication

5.3.1.1. GDPR Article 12 “(1) The controller shall take appropriate measures to provide the data subject with all information concerning the processing of personal data referred to in Articles 13 and 14 and with any information pursuant to Articles 15 to 22 and 34 in a concise, transparent, intelligible and easily accessible form, in clear and plain language, in particular for any information addressed to children. The information shall be provided in writing or by any other means, including, where appropriate, by electronic means. At the request of the data subject, information may also be provided orally, provided that the data subject’s identity has been otherwise verified.

(2) The controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22.

The Data Controller provides information regarding the processing of personal data to the Data Subjects in the form of a Notice. The Notice contains the information in a concise, transparent, understandable and easily accessible format, in clear and plain language. The Notice is provided to the Data Subject in writing (on paper or electronically).

The Data Controller establishes document templates containing the mandatory elements set out in Articles 13-14 of the GDPR, and keeps a separate list of the dates on which the Notices must be provided in accordance with the legislation.

The Notices must be provided at the following times, taking into account the specific circumstances of the processing of personal data:

  • if the personal data was obtained from the Data Subject, at the time of acquisition,
  • if the personal data were not obtained from the Data Subject, within a reasonable time frame from the date of obtaining the personal data, but no later than one month,
  • if the personal data are used for the purpose of communicating with the Data Subject, at least upon first contact with the Data Subject, or
  • if the data are expected to be communicated to other recipients, at the latest when the personal data are communicated for the first time,
  • If the Controller intends to process personal data for a purpose other than that for which they were collected, the Controller must inform the Data Subject of this different purpose and of any relevant additional information referred to in Article 14(2) of the GDPR prior to further processing.

Pursuant to Article 14(5) of the GDPR, where personal data were not obtained from the Data Subject, the Data Controller is not obliged to provide the information in the following cases:

  1. a) the Data Subject already has the information,
  2. b) providing the information is impossible, would require a disproportionate effort or would render impossible or jeopardise the achievement of the purpose of the data processing and for which the Data Controller has taken appropriate measures to protect the legitimate interests of the Data Subject,
  3. c) in the case of an express legal provision that simultaneously provides for the protection of the legitimate interests of the Data Subject,
  4. d) if the data processing must remain confidential due to a statutory professional secrecy obligation or a statutory confidentiality obligation.

GDPR Article 12(2) “In the cases referred to in Article 11(2), the controller shall not refuse to act on the data subject’s request to exercise the rights under Articles 15 to 22 unless the controller demonstrates that the data subject cannot be identified.

(3) The controller shall inform the data subject without undue delay, and in any event not later than one month from the date of receipt of the request, of the action taken on the request pursuant to Articles 15 to 22. Where necessary, taking into account the complexity of the request and the number of requests, this period may be extended by a further two months. The controller shall inform the data subject of the extension of the period, stating the reasons for the delay, within one month from the date of receipt of the request. Where the data subject has submitted the request electronically, the information shall be provided, where possible, electronically, unless the data subject otherwise requests.

(4) If the controller does not take action on the request of the data subject, it shall inform the data subject without delay, but at the latest within one month of receipt of the request, of the reasons for the failure to take action and of the fact that the data subject may lodge a complaint with a supervisory authority and exercise his or her right to a judicial remedy.

(5) The information referred to in Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from the data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may, taking into account the administrative costs of providing the information or communication or taking the action requested, either:

  1. (a) charge a reasonable fee, or
  2. (b) refuse to act on the request.

The burden of proving that the request is clearly unfounded or excessive shall be on the data controller.

(6) Without prejudice to Article 11, where the controller has reasonable doubts as to the identity of the natural person making a request pursuant to Articles 15 to 21, he may request the provision of further information necessary to confirm the identity of the data subject.

(7) The information to be provided to the data subject pursuant to Articles 13 and 14 may be supplemented by standardised icons in order to provide the data subject with general information about the intended processing in a clearly visible, easily understandable and legible form. The icons displayed electronically shall be machine-readable.

GDPR Article 11 "(Processing of data not requiring identification)

(1) Where the purposes for which the controller processes personal data do not or no longer require the identification of the data subject by the controller, the controller shall not be obliged to store, obtain or process additional information in order to identify the data subject solely for the purpose of complying with this Regulation.

(2) Where, in the cases referred to in paragraph 1 of this Article, the controller can demonstrate that he is not in a position to identify the data subject, he shall, where possible, inform the data subject accordingly. In such cases, Articles 15 to 20 shall not apply unless the data subject provides additional information enabling him to be identified for the purpose of exercising his rights under those Articles.’

Following the documented (filed) submission of the Data Subject's request to exercise his/her rights under Articles 15-22 of the GDPR, the Data Controller shall examine it through the employee performing the data processing activity, and, if necessary, with the involvement of the Data Protection Officer or the Data Controller's legal representative, in order to determine:

– whether the request was submitted by an identifiable Data Subject or by a person authorized to act on his/her behalf,

– the exercise of which right the request relates to,

– whether the Data Controller is obliged to comply with the request.

After examining the request, the Data Controller's employee performing data processing activities prepares a draft response, submits it to the Data Protection Officer for comment, and then provides feedback to the person who submitted the request without undue delay, but no later than one month after receipt and free of charge, covering:

  • the action taken by the Data Controller,
  • any failure to take action by the Data Controller (including any extension of the response deadline) and the statutory reasons for it,
  • information on legal remedies (the Data Subject may lodge a complaint with the Supervisory Authority and exercise his/her right to a judicial remedy),
  • any additional information related to the request, including information on how the Data Controller processed the data provided for the purpose of identification.

The Data Controller establishes document templates in order to issue feedback (response letters) in a uniform and legal manner.

The one-month response deadline available to the Data Controller may be extended by a further two months if justified by the complexity of the request and the number of requests.

The Data Controller may refuse to act on a request submitted by the Data Subject or may charge a reasonable fee for the requested information or the administrative costs of taking the action if the request is demonstrably and clearly unfounded or excessive (in particular due to its repetitive nature).

If the Recipient is also involved in the request, the Recipient must be informed at the same time as the feedback (response letter) is sent.

5.3.2. Right of access of the Data Subject

GDPR Article 15 “(1) The data subject shall have the right to obtain from the controller information as to whether or not personal data concerning him or her are being processed and, where such processing is taking place, access to the personal data and to the following information:

  1. a) the purposes of data processing;
  2. (b) the categories of personal data concerned;
  3. (c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, including in particular recipients in third countries or international organisations;
  4. (d) where applicable, the planned period for which the personal data will be stored or, if this is not possible, the criteria for determining this period;
  5. e) the right of the data subject to request from the controller the rectification, erasure or restriction of processing of personal data concerning him or her and to object to the processing of such personal data;
  6. (f) the right to lodge a complaint with a supervisory authority;
  7. g) if the data were not collected from the data subject, all available information on their source;
  8. (h) the fact of automated decision-making referred to in Article 22(1) and (4), including profiling, and at least in such cases, intelligible information on the logic involved and the significance and foreseeable consequences of such processing for the data subject.

(2) Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards for the transfer in accordance with Article 46.

(3) The controller shall provide the data subject with a copy of the personal data which are the subject of the processing. For further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject has submitted the request electronically, the information shall be provided in a widely used electronic format, unless the data subject requests otherwise.

(4) The right to request a copy referred to in paragraph (3) shall not adversely affect the rights and freedoms of others.”

If the Data Subject requests a copy of his/her personal data from the Data Controller, the data will be provided free of charge for the first time. If the Data Subject requests further copies, the Data Controller is entitled to charge a reasonable fee based on administrative costs.

However, the request by the Data Subject for a copy of his/her personal data and its fulfillment may not adversely affect the rights and freedoms of others, so a document containing data relating to other Data Subjects may only be issued after appropriate anonymization.

A copy of personal data means only a copy of the personal data stored by the Data Controller, but does not include a copy of any document (including paper and electronic documents) created using the personal data, for which the Data Controller is not obliged to provide a copy under the GDPR.

5.3.3. Right to rectification

GDPR Article 16 “The data subject shall have the right to obtain from the controller, at his or her request, the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary statement.”

GDPR Article 19 “The controller shall inform any recipient of any rectification pursuant to Article 16… to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. Upon request, the controller shall inform the data subject of those recipients.”

5.3.4. Right to erasure (“right to be forgotten”)

GDPR Article 17 “(1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall be obliged to erase personal data concerning him or her without undue delay where one of the following grounds applies:

  1. a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  2. (b) the data subject withdraws his or her consent which was the basis for the processing pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) and there is no other legal basis for the processing;
  3. (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  4. d) the personal data have been processed unlawfully;
  5. (e) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject;
  6. (f) the personal data were collected in connection with the provision of information society services referred to in Article 8(1).

(2) Where the controller has made personal data public and is obliged to erase them pursuant to paragraph (1), the controller, taking into account available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the data that the data subject has requested the erasure of links to, or copies or replications of, the personal data concerned.

(3) Paragraphs (1) and (2) shall not apply if the processing is necessary:

  1. a) for the purpose of exercising the right to freedom of expression and information;
  2. b) for compliance with an obligation to process personal data under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. (c) on grounds of public interest in the field of public health, in accordance with points (h) and (i) of Article 9(2) and Article 9(3);
  4. (d) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes in accordance with Article 89(1), where the right referred to in paragraph 1 would likely render impossible or seriously jeopardise such processing; or
  5. e) for the establishment, exercise or defense of legal claims.”

GDPR Article 19: “The controller shall inform any recipient of any ….. erasure pursuant to Article 17(1) …. to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort. Upon request, the controller shall inform the data subject of those recipients.”

The Data Subject has the right to request that the Data Controller erase personal data concerning him or her without undue delay, and the Data Controller is obliged to erase personal data concerning the Data Subject without undue delay if one of the following reasons applies:

  1. a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  2. b) the Data Subject withdraws his/her consent, which is the basis for the processing of his/her general personal data or special data, and there is no other legal basis for the processing;
  3. c) the Data Subject objects to the processing of data on grounds of public interest, public authority or legitimate interest, and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing of his or her data for direct marketing purposes, including profiling, if it is related to direct marketing;
  4. d) the personal data have been processed unlawfully;
  5. e) the personal data must be erased for compliance with a legal obligation under Union or Member State law applicable to the Controller;
  6. f) the personal data were collected in connection with the provision of information society services directly to children.

The Data Subject's right to erasure may be restricted and the Data Controller may lawfully continue to process the data requested to be erased in the following cases:

  1. a) for the purpose of exercising the right to freedom of expression and information,
  2. b) for the purpose of fulfilling an obligation under EU or Member State law to which the Controller is subject to the processing of personal data, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller,
  3. c) the processing is necessary for preventive health or occupational health purposes, for assessing the employee's ability to work, for making a medical diagnosis, for providing health or social care or treatment, or for the management of health or social systems and services, on the basis of Union or Member State law or pursuant to a contract concluded with a healthcare professional, subject to the professional's obligation of confidentiality as a guarantee, and on the basis of public interest in the field of public health,
  4. d) for archiving purposes in the public interest, scientific and historical research purposes or statistical purposes, where a right to erasure would likely render such processing impossible or seriously jeopardise such processing, or
  5. e) for the establishment, exercise or defense of legal claims.

5.3.5. Right to restrict data processing

GDPR Article 18 “(1) The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  1. a) the data subject disputes the accuracy of the personal data, in which case the restriction shall apply for a period of time enabling the controller to verify the accuracy of the personal data;
  2. b) the processing is unlawful and the data subject opposes the erasure of the data and instead requests the restriction of their use;
  3. c) the controller no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise or defence of legal claims; or
  4. d) the data subject has objected to the processing pursuant to Article 21(1); in such a case, the restriction shall apply for a period of time until it is determined whether the legitimate grounds of the controller override those of the data subject.

(2) Where processing is subject to restrictions pursuant to paragraph 1, such personal data may, with the exception of storage, only be processed with the consent of the data subject, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for important reasons of public interest of the Union or of a Member State.

(3) The data controller shall inform the data subject, at whose request the data processing has been restricted pursuant to paragraph (1), in advance of the lifting of the restriction of data processing.”

GDPR Article 19 “The controller shall inform any recipient to whom the personal data have been disclosed of any …. restrictions on processing pursuant to Article 18, unless this proves impossible or involves a disproportionate effort. Upon request, the controller shall inform the data subject of those recipients.”

Restriction of data processing is primarily a temporary measure until a claim is assessed or action is taken.

Data under restriction of processing may be stored, and may otherwise only be processed in the following cases:

– with the consent of the Data Subject, or

– to establish, exercise or defend legal claims, or

– in order to protect the rights of another natural or legal person, or

– in the important public interest of the Union or of a Member State.

5.3.6. The right to data portability

GDPR Article 20 “(1) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and shall have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, where:

  1. (a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
  2. b) the data processing is carried out in an automated manner.

(2) When exercising the right to data portability pursuant to paragraph (1), the data subject shall have the right to request the direct transmission of personal data between data controllers, where technically feasible.

(3) The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. That right shall not apply where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

(4) The right referred to in paragraph (1) shall not adversely affect the rights and freedoms of others.”

The Data Subject is entitled to exercise the right to data portability only in relation to the data concerning him/her and provided to the Data Controller by him/her if:

– the processing of personal data or sensitive personal data is based on the legal basis of consent or on the legal basis of a contract and

– data processing is carried out in an automated manner.

The right to data portability does not infringe the right to erasure and data portability does not mean the erasure of data. The right to data portability means the portability of personal data stored in the Controller's records and does not mean the portability of paper or electronic documents containing the data.

5.3.7. Right to object

GDPR Article 21 “(1) The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her based on point (e) or (f) of Article 6(1), including profiling based on those provisions. In such a case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

(2) If personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such purposes, including profiling where it is related to direct marketing.

(3) If the data subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for this purpose.

(4) The right referred to in paragraphs (1) and (2) shall be expressly brought to the attention of the data subject at the latest during the first contact, and the information relating to it shall be displayed clearly and separately from all other information.

(5) In connection with the use of information society services and by way of derogation from Directive 2002/58/EC, the data subject may also exercise the right to object by automated means based on technical specifications.

(6) Where personal data are processed for scientific and historical research purposes or for statistical purposes in accordance with Article 89(1), the data subject shall have the right to object, on grounds relating to his or her particular situation, to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.’

The Data Subject has the right to object to the processing of his/her personal data by the Data Controller, on grounds relating to his/her own situation, in the following cases:

– in the case of data processing based on the legal basis of public interest or public authority, or on the legal basis of legitimate interest (in which case the Data Controller may only further process the data if it demonstrates compelling legitimate grounds that override the interests, rights and freedoms of the Data Subject, or if the processing is necessary for the establishment, exercise or defence of legal claims), or

– in the case of data processing for direct marketing purposes, including profiling related to direct marketing (in which case the data may no longer be processed for that purpose and must be deleted), or

– where the data are processed for scientific or historical research purposes or for statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

5.3.8. Automated decision making in individual cases, including profiling

GDPR Article 22 “(1) The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

(2) Paragraph (1) shall not apply if the decision:

  1. a) necessary for the conclusion or performance of a contract between the data subject and the data controller;
  2. (b) it is permitted by Union or Member State law applicable to the controller and which also lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the data subject; or
  3. (c) is based on the explicit consent of the data subject.

(3) In the cases referred to in points (a) and (c) of paragraph (2), the controller shall take suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject, including at least the right of the data subject to obtain human intervention on the part of the controller, to express his or her point of view and to object to the decision.

(4) The decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures have been taken to safeguard the rights, freedoms and legitimate interests of the data subject.’

The Data Controller is entitled to make a decision based on automated data processing, including profiling, which would have legal effects on the Data Subject or would similarly significantly affect him/her, in the following cases:

  1. a) necessary for the conclusion or performance of a contract between the Data Subject and the Data Controller;
  2. b) the Controller is permitted to do so by applicable Union or Member State law which also lays down suitable measures to safeguard the rights and freedoms and legitimate interests of the Data Subject; or
  3. c) is based on the express consent of the Data Subject and
  4. d) the data processing pursuant to points a)-c) does not concern sensitive personal data (unless the processing of sensitive personal data is based on consent and is not prohibited by law, or the data processing is justified by legitimate public interest pursuant to law).

5.4. Data Protection Officer

5.4.1. Appointment of a Data Protection Officer

In order to ensure data processing activities in accordance with the law, the Data Controller appoints a Data Protection Officer, whose name and contact details are included in Annex 3.

5.4.2. Duties of the Data Protection Officer:

  1. a) provides information and professional advice to the Data Controller and its employees regarding their obligations under the GDPR and other EU or domestic data protection provisions,
  2. b) monitors compliance with the GDPR, other EU or domestic provisions and this Policy, and is responsible for preparing and keeping this Policy up to date, in particular for preparing and keeping up to date the Controller's Register of Data Processing Activities,
  3. c) checks the assignment of tasks related to data processing, participates in the Data Controller's internal audit activities, makes proposals for regulations and amendments concerning the protection of personal data, and gives opinions on regulations from the perspective of personal data protection,
  4. d) organises and monitors awareness-raising and training of personnel involved in data processing operations,
  5. e) provides professional advice on data protection impact assessments and monitors their completion,
  6. f) cooperates and consults with the Supervisory Authority on any issue, serves as the point of contact for the Supervisory Authority, and in this context participates in the Controller's data protection incident management activities.

5.4.3. Data Protection Officer procedure

If any employee of the Data Controller notices a circumstance requiring action in connection with data processing within the scope of the Data Controller's operations, he or she must proceed as follows:

  1. a) If a Data Subject submits a request related to data processing to him or her or to the Data Controller, he or she is obliged to notify the company's Data Protection Officer.
  2. b) If he or she experiences an event indicating a data protection incident or obtains any other relevant information in this regard, he or she must immediately notify the Data Controller's top-level manager and forward the relevant documents and information to him or her.

5.5. Records and documentation

The Data Controller ensures compliance with the laws applicable to its data management (data processing) activities based on the records to be detailed below and the documentation already specified in the Regulations, as well as the documentation specified in this point. The Data Controller (data processor) makes the records and specified documents available to the Supervisory Authority, but these documents do not qualify as public documents.

The Controller's records are kept by the Data Protection Officer.

5.5.1. Records of data processing activities

The Data Controller keeps a record of the data processing activities carried out by it and relating to personal data (AKNy), with content in accordance with the sample in Annex 2 to the Regulations.

The Data Controller continuously reviews and keeps the data management records up to date, in particular as follows:

– recording new data processing activities,

– deletion of discontinued data processing activities,

– change in data processing activity.

The data management register forms the basis of the Information Notices and only the data management included in the AKNy may be recorded in the information notices.

The Data Controller's work organization shall notify the data protection officer of the request to modify the AKNy, who shall ensure that the register is updated.

The AKNy forms the basis for the control and implementation of the obligation to delete personal data. The Data Controller reviews the data management records quarterly in cases where the data storage period is related to the end of a legal relationship, and if it records a period related to a limitation period. The AKNy is otherwise comprehensively reviewed every calendar year, in the third quarter of each calendar year.

If a data processing activity is deleted from the AKNy, the deletion of personal data related to the activity will be implemented simultaneously, and otherwise at the deletion review dates indicated above.

The measures taken regarding data deletion are documented in a report, which is stored on paper under lock and in electronic form with restricted access.

Before including a new data processing activity in the AKNy, the Data Controller shall conduct an impact assessment to determine whether the data processing is likely to result in a high risk to the rights and freedoms of natural persons. The information on the impact assessment shall be recorded in the AKNy.

5.5.2. Data processor register

If the Data Controller acts as a Data Processor, it shall keep records of the data processing carried out in accordance with the template set out in Annex 4 to the Regulations.

The review of the data processing record is otherwise governed by the rules governing the review of the data management record.

5.5.3. Data Protection Incident Records

The Controller shall keep a record of data protection incidents related to data processing activities concerning personal data pursuant to Article 33(5) of the GDPR. The record shall record the facts, circumstances, effects and measures related to the data protection incident.

The template for the Data Protection Incident Record is included in Annex 5 to these Regulations.

The Data Controller shall ensure that the Data Protection Incident Register (AINy) is continuously updated. The AINy contains all incidents that have occurred with respect to the Data Controller, regardless of whether the Data Controller is obliged to report them to the Supervisory Authority or to notify the Data Subjects.

5.6. General rules regarding data processing activities

5.6.1. Storage, use and transfer of personal data within the scope of the Data Controller's operations

The Data Controller stores and uses, transmits within and outside the Data Controller, or otherwise processes personal data in accordance with the principles of the GDPR (Section 5.1 of the Regulation).

Detailed technical measures and security regulations are contained in the Data Controller's Information Security Policy.

Other organizational and technical measures are included in the Data Controller's Document Management Policy.

The Data Controller stores the data – according to its origin – as follows:

  • data that is processed on the basis of a written declaration, written contract/agreement, is stored in the original written form or in the form of an electronic copy of the original document,
  • stores data that were not generated on the basis of written statements in the form of audio or video recordings or in other electronic form.

When processing personal data within the Data Controller's organization, the Data Controller strives to minimize the transmission of paper or electronic copies of paper documents in order to ensure that this only occurs to the extent necessary to perform the given task.

5.6.2. Deleting personal data

The Data Controller ensures the deletion of personal data upon expiry of the period specified in the data processing register, or immediately after the decision on the Data Subject's request for deletion (including where the request for deletion is accompanied by an objection to the processing).

In fulfilling the deletion obligation, the Data Controller deletes the personal data from the database, both in the electronic storage location and in the paper document.

5.6.3. Data security

The Data Controller (data processor) shall implement appropriate technical and organisational measures, taking into account the state of the art, the costs of implementation, and the risks posed by the data processing activities to the rights and freedoms of natural persons, in order to ensure a level of data security appropriate to the risk, pursuant to Article 32 of the GDPR.

The Data Controller (data processor) ensures that its employees who have access to the personal data of the Data Subjects process the personal data in accordance with the law (unless they are required to deviate from this by a legal act of the European Union or Hungary).

5.7. Rules for using a data processor

The Data Controller shall only use a Data Processor for data processing that complies with the requirements of the GDPR. The Data Controller shall obtain a declaration from the Data Processor that the Data Processor complies with the requirements of the GDPR prior to the establishment of the contractual relationship.

The Data Processing Agreement must be concluded in writing simultaneously with the contract for the use of the Data Processor, either as a separate contract or as part of a contract with other content.

The work organization shall notify the Data Protection Officer in advance of its intention to conclude a contract related to data processing in order to ensure the legality of the data management records and the data processing records.

5.8. Data protection incident

5.8.1. Determining the Data Protection Incident

The Data Controller is aware that the data protection incident may cause physical, material or non-material damage to the Data Subjects, in particular the following:

– Loss of control over the data subject’s data or restriction of their rights,

– identity theft or identity misuse,

– financial loss,

– damage to reputation,

– breach of confidentiality of data subject to professional secrecy,

– discrimination,

– other significant economic or social disadvantage.

When assessing a data protection incident, its nature must first be determined:

  • Confidentiality incident: accidental or unlawful disclosure of, or access to, personal data,
  • Integrity incident: accidental or unlawful alteration of personal data,
  • Availability incident: accidental or unlawful destruction or loss of personal data.

If any employee or collaborator of the Data Controller becomes aware of a data protection incident or suspects it, they shall immediately forward the relevant information to the Data Protection Officer.

Based on the facts and circumstances revealed by the investigation, which is to be carried out immediately, and taking into account the results of the risk assessment of the data protection incident, the Data Protection Officer prepares a decision proposal for the Data Controller on the following:

  • whether the event qualifies as a data protection incident,
  • if a data protection incident has occurred, whether it poses a risk to the rights and freedoms of natural persons, in which case there is an obligation to notify the Supervisory Authority,
  • whether the Data Subjects must be informed, which is required where an incident subject to notification is likely to result in a high risk.

The decision proposal prepared by the Data Protection Officer will also take into account the legitimate interests of law enforcement authorities in cases where premature disclosure would unnecessarily jeopardize the investigation of the circumstances of the case.

During the development of the decision proposal by the Data Protection Officer, other employees of the Data Controller – affected by events and circumstances – also contribute. At the same time as the decision to report to the supervisory authority and to inform the Data Subjects is made, the measures taken or to be taken to address the data protection incident are determined.

5.8.2. Reporting a data protection incident to the Supervisory Authority

GDPR Article 33 “(1) The controller shall notify the personal data breach to the supervisory authority competent in accordance with Article 55 without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

(2) The data processor shall notify the data controller of the data protection incident without undue delay after becoming aware of it.

(3) The notification referred to in paragraph (1) shall include at least:

  1. (a) describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. (b) the name and contact details of the data protection officer or other contact person for further information must be provided;
  3. c) the likely consequences of the data protection incident must be described;
  4. d) describe the measures taken or planned by the controller to remedy the data protection incident, including, where applicable, measures aimed at mitigating any adverse consequences resulting from the data protection incident.

(4) If and to the extent that it is not possible to communicate the information simultaneously, it may be communicated in parts at a later date without further undue delay.

(5) The controller shall keep records of personal data breaches, indicating the facts relating to the personal data breach, its effects and the measures taken to remedy it. This record shall enable the supervisory authority to verify compliance with the requirements of this Article.”

5.8.3. Informing the Data Subject about the data protection incident

GDPR Article 34 “(1) Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall inform the data subject of the personal data breach without undue delay.

(2) The information provided to the data subject referred to in paragraph (1) shall describe in a clear and intelligible manner the nature of the personal data breach and shall include at least the information and measures referred to in points (b), (c) and (d) of Article 33(3).

(3) The data subject shall not be required to be informed as referred to in paragraph (1) if any of the following conditions are met:

  1. a) the controller has implemented appropriate technical and organisational protection measures and these measures have been applied to the data affected by the data breach, in particular measures – such as the use of encryption – which make the data unintelligible to persons not authorised to access the personal data;
  2. (b) the controller has taken further measures following the personal data breach to ensure that the high risk to the rights and freedoms of the data subject referred to in paragraph (1) is no longer likely to materialise;
  3. (c) the provision of information would involve a disproportionate effort. In such cases, the data subjects shall be informed by means of publicly available information or a similar measure shall be taken which ensures that the data subjects are informed in a similarly effective manner.

(4) If the controller has not yet notified the data subject of the personal data breach, the supervisory authority may, after considering whether the personal data breach is likely to involve a high risk, order the data subject to be informed or determine that one of the conditions referred to in paragraph (3) is met.”

5.9. Legal remedies of the Data Subject

5.9.1. Right to lodge a complaint with the Supervisory Authority

GDPR Article 77 “(1) Without prejudice to other administrative or judicial remedies, each data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or the place of the alleged infringement, if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

(2) The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78.”

5.9.2. Right to an effective judicial remedy against the Supervisory Authority

GDPR Article 78 “(1) Without prejudice to other administrative or non-judicial remedies, every natural or legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning him or her.

(2) Without prejudice to other administrative or non-judicial remedies, every data subject shall have the right to an effective judicial remedy where the supervisory authority competent pursuant to Article 55 or 56 does not deal with the complaint or does not inform the data subject of the progress or outcome of the complaint lodged pursuant to Article 77 within three months.

(3) Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

(4) If proceedings are brought against a decision of the supervisory authority in relation to which the Board has previously issued an opinion or taken a decision within the framework of the consistency mechanism, the supervisory authority shall be obliged to send that opinion or decision to the court.”

The lawsuit falls within the jurisdiction of the competent court.

5.9.3. Right to an effective judicial remedy against the Controller or the Processor

GDPR Article 79 “(1) Without prejudice to any administrative or non-judicial remedies available to you, including the right to lodge a complaint with a supervisory authority pursuant to Article 77, every data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of personal data concerning him or her not complying with this Regulation.

(2) Proceedings against a controller or processor shall be brought before the courts of the Member State in which the controller or processor is established. Such proceedings may also be brought before the courts of the Member State in which the data subject has his habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its official authority.’

The lawsuit falls within the jurisdiction of the competent court.

6. Newsletter subscription and sending

Purpose of data processing: The name and e-mail address voluntarily provided by subscribers will be processed exclusively for the purpose of sending newsletters.
Legal basis for data processing: Based on the consent of the data subjects (GDPR Article 6 (1) a)).
Duration of data processing: The data will be processed until the consent is withdrawn.
Rights of data subjects: Data subjects have the right to request information, correction, deletion of their data, and restriction of data processing at the central contact point of our hotel and restaurant, at hotel@landplanhotel.hu address.

Annexes

  Annex No. 1: Purposes and means of processing personal data (sample)
  Annex No. 2: Register of data processing activities (sample)
  Annex No. 3: Designation of Data Protection Officer
  Annex No. 4: Data processing register (sample)
  Annex No. 5: Data Protection Incident Register (sample)

Annex No. 1

Purposes and means of processing personal data

  1. Purposes of processing personal data
1. Main goal
1.1 Sub-goal
1.2 Sub-goal

  2. Tools for processing personal data

  IT service (type/designation):
1. Filing/Document Management System
2. Mailing system
3. Labour system
4. Salary system
5. Accounting system
6. Access control system
7. Camera system
8. GPS system
9. IT security system
10. Website

Annex No. 2

Data controller name: Land Plan Kft.

Data Protection Officer

name: Dr. Nóra Nagy

Contact: borbely.bea@landplanhotel.hu; dr.nagy.nora.avt@upcmail.hu

REGISTER OF DATA PROCESSING ACTIVITIES (AKNy)

Columns of the register:

– AKNy number

– Data subject category and personal data category (with special data marked separately)

– Purpose of data processing

– Legal basis of data processing

– Purpose and legal basis of data transfer

– Recipient of data transfer

– Targeted deletion time for the data category

– General description of technical and organisational measures pursuant to Article 32(1) GDPR:

  a) method of information, existence of consent, existence of a data processing contract

  b) risk level, data security measures

– Notes, other data required by law

Row structure (sample):
1.1. Data subject category
1.1.1 Personal data category

 

Annex No. 3

DATA PROTECTION OFFICER

IDENTIFICATION AND CONTACT DETAILS

Data Protection Officer of the Data Controller: Dr. Nóra Nagy

Phone number: 46/412-327

Fax number: 46/415-623

Email: dr.nagy.nora.avt@upcmail.hu

Annex No. 4

Data processor name: Land Plan Kft.

Data Protection Officer

name: Dr. Nóra Nagy

Contact: borbely.bea@landplanhotel.hu; dr.nagy.nora.avt@upcmail.hu

DATA PROCESSING RECORDS

Columns of the register:

– Name, contact details and representative of the data controller, and name and contact details of the data controller's data protection officer

– Date and duration of the data processing contract

– Data subject category and personal data category

– Purpose of data processing

– Name and contact details of the sub-processor, its representative, and the name and contact details of its data protection officer

– Purpose and legal basis of data transfer

– Recipient of data transfer

– General description of technical and organisational measures pursuant to Article 32(1) of the GDPR

 

Annex No. 5

Data processor name: Land Plan Kft.

Data Protection Officer

name: Dr. Nóra Nagy

Contact: borbely.bea@landplanhotel.hu; dr.nagy.nora.avt@upcmail.hu

Data protection incident register (AVT: Data Protection Officer)

  A) Event
  • serial number
  • designation
  • date of notification to the AVT

  B) Facts related to the event
  • What happened?
  • Where did it happen?
  • When did it happen?
  • Why did it happen?

  C) Incident classification, impact
  • Risk category
  • Effect/consequence
  • Course
  • Date of the AVT's proposal
  • Obligation to report to the authority (yes/no)
  • Date, registration number
  • Obligation to inform the data subject (yes/no)
  • Date, registration number

  D) Incident remediation
  • Immediate action
  • Description of measure

  E) Notes